IPSec

ASIM SHARIF SATTI

Cryptographic System

2
 Secure Shell
Secure Shell (SSH) functions as a type of tunneling
mechanism that provides terminal-like access to remote
computers.
SSH is a program and a protocol that can be used to log into
another computer over a network.
SSH provides authentication and secure transmission over
vulnerable channels like the Internet.
SSH is a program and a set of protocols that work together to
provide a secure tunnel between two computers.

For example, the program can let Paul, who is on computer A,

access computer B’s files, run applications on computer B, and
retrieve files from computer B without ever physically touching
that computer.
 Secure Shell

SSH should be used instead of Telnet, FTP etc, which

provide the same type of functionality SSH offers but
in a much less secure manner.

The two computers go through a handshaking process

and exchange (via Diffie-Hellman) a session key that
will be used during the session to encrypt and protect
the data sent. The steps of an SSH connection are
outlined in the Figure.
 S
H
Once the handshake takes place and a secure channel is
established, the two computers have a pathway to exchange data
with the assurance that the information will be encrypted and its
integrity will be protected.
3.19.7 Virtual Private Networks (VPNs)

3 types
 Intranet – Within an organization
 Extranet – Outside an organization
Copyright Remote
Pearson Access –2010
Prentice-Hall Employee to Business 6
 Four Protocols used in VPN
 PPTP -- Point-to-Point Tunneling Protocol

 L2TP -- Layer 2 Tunneling Protocol

 IPsec -- Internet Protocol Security

 SOCKS – is not used as much as the ones

above
 3.19.8 IPSEC (Internet Protocol Security)
The Internet Protocol Security (IPSec) protocol suite
provides a method of setting up a secure channel for
protected data exchange between two devices. The
devices that share this secure channel can be two
servers, two routers, a workstation and a server, or
two gateways between different networks.

IPSec is a widely accepted standard for providing

network layer protection. It can be more flexible and
less expensive than end-to-end and link encryption
methods.
 IPSEC (Internet Protocol Security)
IPSec has strong encryption and authentication
methods, and although it can be used to enable
tunneled communication between two computers, it
is usually employed to establish virtual private
networks (VPNs) among networks across the
Internet.

IPSec is not a strict protocol that dictates the type of

algorithm, keys, and authentication method to use.
Rather, it is an open, modular framework that
provides a lot of flexibility for companies when they
choose to use this type of technology.
 IPSEC (Internet Protocol Security)
IPSec uses two basic security protocols:
Authentication Header (AH) and
Encapsulating Security Payload (ESP).

AH is the authenticating protocol, and

ESP is an authenticating and encrypting protocol that
uses cryptographic mechanisms to provide source
authentication, confidentiality, and message integrity.
IPSEC (Internet Protocol Security)
IPSec can work in one of two modes:
transport mode, in which the payload of the message
is protected, and
tunnel mode, in which the payload and the routing
and header information are protected.

In transport mode encrypts the actual message

information so it cannot be sniffed and uncovered by
an unauthorized entity. Tunnel mode provides a
higher level of protection by also protecting the
header and trailer data an attacker may find useful.
IPsec Encapsulating Security Payload (ESP) Header and Trailer in
Transport and Tunnel Modes

Raymond Panko
12
IPsec Operation: Transport Mode
1.
End-to-End
Security
(Good)

2. 3.
Security in Setup Cost
Site Network On Each Host
(Good) (Costly)

Raymond Panko
13
IPsec Operation: Tunnel Mode

2. 3.
No Security in No Setup Cost
Site Network On Each Host
(Bad) (Good)

Copyright Pearson Prentice-Hall 2010 Raymond Panko

14
 Comparing IPsec Transport and Tunnel Modes
Characteristic Transport Mode Tunnel Mode
Uses an IPsec VPN No Yes
Gateway?
Cryptographic All the way from the Only over the Internet
Protection source host to the between the IPsec
destination host, gateways. Not within
including the Internet the two site networks.
and the two site
networks.

Setup Costs High. Setup requires Low. Only the IPsec

the creation of a digital gateways must
certificate for each implement IPsec, so
client and significant only they need digital
configuration work. certificates and need to
be configured.

Raymond Panko
Copyright Pearson Prentice-Hall 2010 15
 The Figure shows the high-level view of the steps of
setting up an IPSec connection.

SA- A Security Association (SA) is the establishment of

shared security attributes between two network entities to
support secure communication. An SA may include attributes such as:
cryptographic algorithm and mode; traffic encryption key; and
parameters for the network data to be passed over the connection.
IPSEC (Internet Protocol Security)
Each device will have at least one security association
(SA) for each secure connection it uses. The SA, which
is critical to the IPSec architecture, is a record of the
configurations the device needs to support an IPSec
connection.
When two devices complete their handshaking
process, which means they have agreed upon a long
list of parameters they will use to communicate,
these data must be recorded and stored
somewhere, which is in the SA. The SA can contain
the authentication and encryption keys, the agreed-
upon algorithms, the key lifetime, and the source IP
address.
IPsec Security Associations

Raymond Panko
18
IPSEC (Internet Protocol Security)
When a device receives a packet via the IPSec protocol, it is
the SA that tells the device what to do with the packet. So if
device B receives a packet from device C via IPSec, device B
will look to the corresponding SA to tell it how to decrypt the
packet, how to properly authenticate the source of the packet,
which key to use, and how to reply to the message if
necessary.

SAs are directional, so a device will have one SA for

outbound traffic and a different SA for inbound traffic
for each individual communication channel. If a
device is connecting to three devices, it will have at
least six SAs, one for each inbound and outbound
connection per remote device.
IPSEC (Internet Protocol Security)

So how can a device keep all of these SAs organized

and ensure that the right SA is invoked for the right
connection?
With the mighty security parameter index (SPI), that’s
how.

Each device has an SPI that keeps track of the different SAs
and tells the device which one is appropriate to invoke for the
different packets it receives.
The SPI value is in the header of an IPSec packet, and the
device reads this value to tell it which SA to consult, as
depicted in the Figure.
IPSEC (Internet Protocol Security)

IPSec can authenticate the sending devices of the

packet by using MAC.
The ESP protocol can provide authentication,
integrity, and confidentiality if the devices are
configured for this type of functionality.
if a company just needs to make sure it knows the
source of the sender and must be assured of the
integrity of the packets, it would choose to use AH.
IPSEC (Internet Protocol Security)

If the company would like to use these

services and also have confidentiality, it
would use the ESP protocol because it
provides encryption functionality. In most
cases, the reason ESP is employed is because
the company must set up a secure VPN
connection.